What the Nyetya Ransomware Attack Means for Banks

Today the world is still reeling from the global mayhem created by yet another ransomware attack – the bigger, more ruthless brother of the WannaCry attack that took place only six weeks ago. The ransomware has been referred to as Petya, NotPetya, Petrwrap, and GoldenEye. Cisco’s Talos Threat Intelligence Team has identified this new variant of malware that brought industrial giants, governments, and central banks to a grinding halt as Nyetya. Talos Security is regularly updating their Nyetya blog with new information.

Nyetya vs. WannaCry: What’s the difference?

Like WannaCry, Nyetya victims receive a message demanding payment via Bitcoin and are asked to send confirmation of payment to an email address included in the ransom note. Both versions of ransomware attack computers by entering through a “hole,” or vulnerability in Windows. However, several factors are making the Nyetya attack worse:

In addition to this known vulnerability, Nyetya employs two more methods to attack computers laterally. None of the three methods require the user to take an action such as downloading a file or clicking a link.

Nyetya encrypts both the data and the master boot record (like a table of contents for a hard drive), which makes the computer unresponsive and impossible to use.

So far, no “kill switch” has been discovered for Nyetya like the one that stopped WannaCry, which means that no one knows how to stop this attack from spreading.

There is no longer an option for people to contact the attackers for a decryption key to unlock their computer after paying the ransom. Shortly after the attack began, the email provider Posteo shut down the email address.

Does Nyetya have political connections?

According to Cisco’s Talos Threat Intelligence Team, some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. MeDoc is popular across various industries in Ukraine, including financial institutions.

The infection occurred during an automatic update of the software on June 22. The virus spread throughout Ukraine and around the world for five days before the ransomware was launched on June 27, prior to a national holiday.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware. It’s very clear that whoever was behind this would somehow benefit from causing a significant amount of negative business impact on Constitution Day,” Williams added.

Ransomware and Banks

Nyetya hit the National Bank of Ukraine and another national central bank hard. It also crippled many branches and lenders as financial institutions in Ukraine and Russia reported significant system outages early on during the ransomware attack. Many ATMs in the Ukraine were out of order or displayed Nyetya’s ransomware message on their screens.

“The National Bank of Ukraine has warned banks… about an external hacker attack on the websites of some Ukrainian banks… which was carried out today,” Ukraine’s central bank said in a statement on June 27, 2017. “As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations.”

How can banks protect themselves from ransomware?

Aside from making sure that all systems are updated, this event underscores the need for financial services firms to take a closer look at their infrastructure. Hackers get smarter every day and networks should too.

It’s critical to have a secure, intelligent network that constantly learns and evolves to detect issues before they happen and find ways to resolve them automatically. Today’s fully integrated, intelligent, highly secure networks can identify immediately what’s trustworthy and what isn’t–even seemingly benign and routine processes like software updates from trusted accounting software vendors.

Learn more

Read my last blog on the WannaCry ransomware attack to learn more about how ransomware can affect banks and financial services institutions.

Listen to a recorded webinar from Friday, June 30, hosted by Martin Lee, technical lead on Cisco’s Talos threat research team, to understand the latest in the new malware variant, Nyetya. Hear the latest on the attack and steps you can take to strengthen your security.

I have left a major US credit card company and refuse to do any business with them or a subsidiary because they are constantly being compromised. My CCs have been compromised three times over several years, and all of them were owned by the single company. Good article pointing out the sources of these threats.

Thank you Peter. I am sorry to hear about your issues with credit card compromises. I have dealt with it myself as a consumer and it certainly can be a headache to get that straightened out!
I am thankful that as a consumer in the U.S. I am protected from liability for unauthorized credit card transactions by a combination of federal law and the card issuer policy. So financial institutions and merchants assume responsibility for most of the money lost as a result of fraud. I looked it up out of curiosity and card issuers bore a 72% share of fraudulent losses in 2015 and merchants and ATM acquirers assumed the other 28% of liability, according to the Nilson Report, October 2016.
The reason that all of the merchants you shop with converted their card payment processing devices at the checkout lines to "chip card " or EMV reader technology in the last few years, and the card issuers sent you new "chip"/ EMV cards, is due to a change in this liability. Although other parts of the world had already been using this chip technology for years, in the US we were slow to convert.
What finally prompted the changeover was a date late last year wherein responsibility for fraudulent transactions shift to the merchant - your local gas station or grocery store - if the new EMV technology is not used for additional security, instead of the card issuer - Visa or Mastercard for example. No change for the consumer except a new card and hopefully better security.
Payment solutions is a really interesting and quickly evolving line of business.

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco. The content is provided for informational purposes only and is not meant to be an endorsement or representation by Cisco or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release Cisco from any liability related to your use of the Website. You also grant to Cisco a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.